The ABC's of the Sobig Virus

Be prepared to deal with a new, more sophisticated Sobig variant, security
experts warn.

The destructive Sobig.F mass-mailing virus has been programmed to stop
working on September 10 but that's not necessarily good news for IT guys around the globe.

That's because security experts expect a more sophisticated variant of the Sobig worm to start crawling through inboxes immediately after the September 10 deadline. "Sobig.G is very likely. It has been a serial process ever since
Sobig started spreading in January this year. Variants come out one at a
time and they never overlap," warned Chris Belthoff, Senior Security Analyst
at Sophos, Inc.

"I won't be surprised if there is a new Sobig variant that comes out soon
after September 10. It certainly fits the profile of this virus," Belthoff
said, urging network administrators to be on high alert for a more
sophisticated worm.

Sobig was first detected in January 2003 as a mass-mailing virus that
used a built-in SMTP client and local Windows network shares to spread. When
that first virus expired, a new variant immediately appeared with the same
characteristics. Since then, it has been a pattern of expirations and
reappearances of the same virus, Belthoff explained.

He said the newer variants have all been "more sophisticated" and "more
destructive" than prior versions, warning that the expected Sobig.G could
cause another round of chaos within corporate networks.

Sobig.F, which got its name from the large attachments that carry the
virus, carpet
bombed the Internet in recent weeks. It ground network traffic to a halt
in many sectors, crashing e-mail servers and causing major headaches for IT
sysadmins across the country.

"There may be a gap of a few days before we see a new variant but we're
pretty sure Sobig.G will appear. The important thing is to prepare properly
for it to minimize the damage," Belthoff explained.

Economic damage from Sobig.F has been estimate in the range of $7
billion, according to statistics from Mi2g, a London-based research firm.
Mi2g's research pegs Sobig as the "third most damaging virus ever." And,
spreading alongside the Blaster and Welchia worms that attacked Windows
systems, Sobig turned into a major
nightmare for IT admins.

David Bloomstein, product manager of Symantec Security Response, said it
was difficult to predict if or when a new Sobig variant will start
spreading. "We're keeping our eyes open for anything. We do know that the
virus deactivates on September 10. That means it won't mass-mail or collect
e-mail addresses. But, the virus can still attempt to download updates from
the list of master servers," he explained.

By retaining the ability to collect updates from master servers
controlled by the unknown virus writer, Bloomstein said new instructions can
be coded to launch a new wave of attacks. "We're on a high state of alert.
Given where we are on the calendar, we're keeping our eyes open and watching
out for anything that can happen," he said.

Sophos' Belthoff said the increased sophistication of new variants called
for industry-wide preparation to blunt future attacks. "[All the previous
variants] were mass-mailing worms that arrived primarily as e-mail. That's
one place to start blocking them," he urged.

Belthoff recommends that enterprise sysadmins block all attachments with
executable files at the gateway. "If you're not blocking it at the gateway,
then you are letting it reach the desktops and you're putting the onus on
employees not to open those attachments." he explained.

"Why companies aren't catching it at the gateway, I don't know. It
should be standard business practice in this day and age to block executable
attachments at the gateway. If executables are necessary for business, it
is easy to set rules and permissions to let them through for certain staff,"
he explained.

If companies block them at the gateway, mass-mailing would have had its
day as a viable transmission method for viruses, he argued.

More importantly, Belthoff and Bloomstein both advocated increased
end-user awareness about the dangers of successful virus attacks. "The
weakest point of security in an enterprise is the home user and the casual
employee using the network. A company that has telecommuters at home
without updated virus protection is at major risk," Belthoff said.

He said large enterprises should consider remote updates for all users.
"Just doing those two things - blocking attachments at the gateway and
remotely updating virus protection for home users - would stop the next
Sobig from spreading so rapidly," Belthoff added.

Symantec's Bloomstein agreed. "First thing, keep your virus definitions
updated. Then, remind your internal users of best practices. No one should
be clicking on stray attachments that they aren't expecting."

"If an admin is concerned about timing and feels there's a threat, then
they could go the extra mile and block executables at the gateway. It
doesn't hurt to be extra cautious," Bloomstein added.

"These should be standard business practices. We shouldn't be singling
out September 11 or any particular date when it comes to network security.
Everyone should be worried about the next Sobig, regardless of the
date."